curl: fix CVE-2021-22925

CVE-2021-22925 Reported-by: Red Hat Product Security Bug: https://curl.se/docs/CVE-2021-22925.html (From OE-Core rev: ee0340c35f811dd1c0926480673a7fec7bbb985b) Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Mingli Yu <mingli.yu@windriver.com> 2021-08-02 17:37:25 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-08-14 12:01:44 +0100
commit: f897796b0958d6c696b81f9f1d9cb7cb9a892a57 (patch)
tree: d316eed183007386efa1ce2da612bded9234fb31 /meta/recipes-support
parent: 2e6a9d0ea3766d7c7e157ac1e834d18762abf403 (diff)
download: poky-f897796b0958d6c696b81f9f1d9cb7cb9a892a57.tar.gz
2 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22925.patch b/meta/recipes-support/curl/curl/CVE-2021-22925.patch
new file mode 100644
index 0000000000..e3009c9533
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22925.patch
@@ -0,0 +1,50 @@
+From 894f6ec730597eb243618d33cc84d71add8d6a8a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 12 Jun 2021 18:25:15 +0200
+Subject: [PATCH] telnet: fix option parser to not send uninitialized contents
+CVE-2021-22925
+Reported-by: Red Hat Product Security
+Bug: https://curl.se/docs/CVE-2021-22925.html
+CVE: CVE-2021-22925
+Upstream-Status: Backport [https://github.com/curl/curl/commit/894f6ec730597eb243618d33cc84d71add8d6a8a]
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ lib/telnet.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 1d3024ec4..a81bb81c3 100644
+--- a/lib/telnet.c
+++ b/lib/telnet.c
+@@ -920,12 +920,17 @@ static void suboption(struct Curl_easy *data)
+         size_t tmplen = (strlen(v->data) + 1);
+         /* Add the variable only if it fits */
+         if(len + tmplen < (int)sizeof(temp)-6) {
+-          if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+-            msnprintf((char *)&temp[len], sizeof(temp) - len,
+-                      "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+-                      CURL_NEW_ENV_VALUE, varval);
+-            len += tmplen;
+-          }
+          int rv;
+          char sep[2] = "";
+          varval[0] = 0;
+          rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
+          if(rv == 1)
+            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
+                             "%c%s", CURL_NEW_ENV_VAR, varname);
+          else if(rv >= 2)
+            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
+                             "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+                             CURL_NEW_ENV_VALUE, varval);
+         }
+       }
+       msnprintf((char *)&temp[len], sizeof(temp) - len,
+-- 
+2.17.1
diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb
index 42be2eb0b5..b2aad0bbc2 100644
--- a/meta/recipes-support/curl/curl_7.75.0.bb
+++ b/meta/recipes-support/curl/curl_7.75.0.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
           file://vtls-fix-warning.patch \
           file://CVE-2021-22898.patch \
           file://CVE-2021-22897.patch \
+           file://CVE-2021-22925.patch \
 "
 SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"
author	Mingli Yu <mingli.yu@windriver.com>	2021-08-02 17:37:25 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-08-14 12:01:44 +0100
commit	f897796b0958d6c696b81f9f1d9cb7cb9a892a57 (patch)
tree	d316eed183007386efa1ce2da612bded9234fb31 /meta/recipes-support
parent	2e6a9d0ea3766d7c7e157ac1e834d18762abf403 (diff)
download	poky-f897796b0958d6c696b81f9f1d9cb7cb9a892a57.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2021-22925.patch b/meta/recipes-support/curl/curl/CVE-2021-22925.patch new file mode 100644 index 0000000000..e3009c9533 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22925.patch
@@ -0,0 +1,50 @@
		1	From 894f6ec730597eb243618d33cc84d71add8d6a8a Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Sat, 12 Jun 2021 18:25:15 +0200
		4	Subject: [PATCH] telnet: fix option parser to not send uninitialized contents
		5
		6	CVE-2021-22925
		7
		8	Reported-by: Red Hat Product Security
		9	Bug: https://curl.se/docs/CVE-2021-22925.html
		10
		11	CVE: CVE-2021-22925
		12
		13	Upstream-Status: Backport [https://github.com/curl/curl/commit/894f6ec730597eb243618d33cc84d71add8d6a8a]
		14
		15	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
		16	---
		17	lib/telnet.c \| 17 +++++++++++------
		18	1 file changed, 11 insertions(+), 6 deletions(-)
		19
		20	diff --git a/lib/telnet.c b/lib/telnet.c
		21	index 1d3024ec4..a81bb81c3 100644
		22	--- a/lib/telnet.c
		23	+++ b/lib/telnet.c
		24	@@ -920,12 +920,17 @@ static void suboption(struct Curl_easy *data)
		25	size_t tmplen = (strlen(v->data) + 1);
		26	/* Add the variable only if it fits */
		27	if(len + tmplen < (int)sizeof(temp)-6) {
		28	- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
		29	- msnprintf((char *)&temp[len], sizeof(temp) - len,
		30	- "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
		31	- CURL_NEW_ENV_VALUE, varval);
		32	- len += tmplen;
		33	- }
		34	+ int rv;
		35	+ char sep[2] = "";
		36	+ varval[0] = 0;
		37	+ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
		38	+ if(rv == 1)
		39	+ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
		40	+ "%c%s", CURL_NEW_ENV_VAR, varname);
		41	+ else if(rv >= 2)
		42	+ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
		43	+ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
		44	+ CURL_NEW_ENV_VALUE, varval);
		45	}
		46	}
		47	msnprintf((char *)&temp[len], sizeof(temp) - len,
		48	--
		49	2.17.1
		50


diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb index 42be2eb0b5..b2aad0bbc2 100644 --- a/meta/recipes-support/curl/curl_7.75.0.bb +++ b/meta/recipes-support/curl/curl_7.75.0.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
17	file://vtls-fix-warning.patch \	17	file://vtls-fix-warning.patch \
18	file://CVE-2021-22898.patch \	18	file://CVE-2021-22898.patch \
19	file://CVE-2021-22897.patch \	19	file://CVE-2021-22897.patch \
		20	file://CVE-2021-22925.patch \
20	"	21	"
21		22
22	SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"	23	SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"